 The piece of documentation I want most for the modern web is something that explains to me what variants of a "set-cookie:" header work in which modern browsers under which conditions There's a ton of stuff out there about "Total Cookie Protection" in Firefox and "Privacy Sandbox" in Chrome, but I cannot figure out what it actually means for me as a web developer! I need protocol-level documentation for all of this stuff. 17 comments
 @simon thanks for this. I was actually wondering, today, whether I’m using SameSite correctly in a PR. https://github.com/zooniverse/front-end-monorepo/pull/6216#discussion_r1737125967 I just read the FAQ for Firefox "Total Cookie Protection" and I am sadly no closer to understanding what impact Total Cookie Protection has on how I should build web applications - I'm particularly interested in understanding how it impacts things like OAuth SSO https://support.mozilla.org/en-US/kb/total-cookie-protection-and-website-breakage-faq @simon OAuth doesn't use third-party cookies so I believe it's all good. The problem is with SSO systems which use third-party cookies to transparently log you in across several domains. @russss aaah gotcha - that’s the thing that caused the Chrome team to implement their weird 2-minute twist https://simonwillison.net/2021/Aug/3/samesite/#chrome-2-minute-twist @simon There's some work going on at https://johannhof.github.io/draft-annevk-johannhof-httpbis-cookies/draft-annevk-johannhof-httpbis-cookies.html to specify this. Does that draft at least improve the situation? I believe they're accepting complaints and suggestions. @jyasskin that looks great! The thing that's missing is exact documentation as to which version of which browsers implement which policies - three years ago I was having trouble figuring out which browsers had actually implemented SameSite=lax by default, the situation on that is no better today! @simon I think https://caniuse.com/mdn-http_headers_set-cookie_samesite_lax_default answers that question? I haven't checked that it's correct, but generally it'd be nice for `caniuse` to answer questions about how completely each browser implements consensus and proposed standards. @jyasskin sadly that doesn’t cover the deeper issue of what happens if you send set-cookie without a SameSite attribute at all - or weird undocumented edge-cases like what changes if a Safari user turns on “Prevent Cross-Site Tracking” @Melaskia I’ll be honest: I don’t even completely understand what the term “third party cookie” means at the level of sending set-cookie headers! @simon A first party cookie is when the website sends a cookie for its corresponding domain. |
Gregory's Server
A few years ago I put a bunch of work into figuring out the SameSite cookie attribute because the documentation for how that actually worked was so thin on the ground https://simonwillison.net/2021/Aug/3/samesite/